029-Introduction To Firewall
A firewall is the barrier between a trusted and an untrusted network, often placed between your
LAN and the WAN. It sits in the forwarding path so that every packet has to pass through it,
where it is either permitted or dropped.
Stateful Filtering
Firewalls, like routers, can use access-lists to check the source and/or destination address or
port numbers. Most routers, however, don't spend much time on filtering: when they receive a
packet, they check whether it matches an entry in the access-list and permit or drop the packet
accordingly. That's it. Each packet is judged on its own; the router keeps no memory of the
packets that came before it (stateless filtering).
Firewalls, on the other hand, use stateful filtering. They keep track of all incoming and outgoing
connections and use that state to decide what to do with later packets. Here are some examples:
A computer on the LAN uses its email client to connect to a mail server on the Internet.
The client starts the connection with a TCP three-way handshake, which the firewall
sees. The firewall records this connection in its state table and, when the mail server responds,
automatically permits the return traffic to the client, without a separate access-list entry for
the reply direction. A packet from the Internet that does not belong to a known connection is
dropped.
A web server is sitting behind a firewall; it's a busy server that accepts an average of 20
new TCP connections per second from different IP addresses. The firewall keeps track of
all connections; once it sees a single source IP address requesting more than 10 new TCP
connections per second (a configured threshold), it drops further traffic from that source IP
address, limiting a DoS (Denial of Service) attempt. This is a per-source limit, so an attacker
who spreads the same load over many source addresses is not caught by it; it is one layer of
protection rather than a complete DoS defence.
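The two examples above, as an added worked example that is not part of the original article: a toy stateful filter in Python that records outbound TCP SYNs, permits replies only when a matching state entry exists, drops unsolicited inbound SYNs unless an explicit exception covers them, and applies a per-source limit of 10 new connections per second. The IP addresses, ports, timestamps and the web-server exception are constructed sample data.

```python
"""Toy stateful packet filter (added example, not code from the original article).

Shows connection tracking (a SYN leaving the LAN creates state, and the reply
from the Internet is permitted because that state exists) and a per-source
rate limit on new connections (10 per second, the threshold used in the
article's example). All traffic below is constructed sample input.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
NEW_CONN_LIMIT_PER_SEC = 10  # threshold from the article's example


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    iface: str     # "inside" = arrived from the LAN, "outside" = from the Internet


class StatefulFirewall:
    def __init__(self, inbound_allow=frozenset()):
        # (dst ip, dst port) pairs that may be opened from the outside (access-list exception)
        self.inbound_allow = set(inbound_allow)
        self.sessions = set()                 # 4-tuples in the direction the flow was opened
        self.syn_times = defaultdict(deque)   # src ip -> timestamps of its recent SYNs
        self.blocked = set()                  # sources that exceeded the rate limit

    def _rate_exceeded(self, pkt):
        q = self.syn_times[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] >= 1.0:    # keep a sliding one-second window
            q.popleft()
        return len(q) > NEW_CONN_LIMIT_PER_SEC

    def process(self, pkt):
        """Return 'permit' or 'drop' for one packet, updating state as a firewall would."""
        if pkt.src in self.blocked:
            return "drop"
        syn_only = bool(pkt.flags & SYN) and not (pkt.flags & ACK)
        if syn_only:                          # a new connection attempt
            if self._rate_exceeded(pkt):
                self.blocked.add(pkt.src)
                return "drop"
            if pkt.iface == "inside" or (pkt.dst, pkt.dport) in self.inbound_allow:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "permit"
            return "drop"                     # unsolicited inbound SYN, no exception
        # any other packet must belong to a tracked session, in either direction
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if fwd in self.sessions or rev in self.sessions else "drop"


def run_demo():
    """Replay constructed sample traffic and return the firewall's decisions."""
    fw = StatefulFirewall(inbound_allow={("192.168.1.10", 80)})  # published web server
    results = {}
    # 1. LAN mail client opens a connection; the reply is permitted only because of the state entry.
    results["client_syn"] = fw.process(Packet(0.0, "192.168.1.20", 50000, "198.51.100.5", 25, SYN, "inside"))
    results["server_synack"] = fw.process(Packet(0.1, "198.51.100.5", 25, "192.168.1.20", 50000, SYN | ACK, "outside"))
    # 2. An unsolicited SYN from the Internet to a LAN host matches no state and no exception.
    results["unsolicited_syn"] = fw.process(Packet(0.2, "203.0.113.9", 4444, "192.168.1.20", 22, SYN, "outside"))
    # 3. One source opens 12 connections to the web server within one second; the limit is 10.
    results["flood"] = [
        fw.process(Packet(10.0 + i * 0.05, "203.0.113.7", 40000 + i, "192.168.1.10", 80, SYN, "outside"))
        for i in range(12)
    ]
    # 4. A different client is unaffected by the block placed on 203.0.113.7.
    results["legit_syn"] = fw.process(Packet(10.7, "198.51.100.9", 51000, "192.168.1.10", 80, SYN, "outside"))
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Note that the reply from the mail server is permitted without any inbound rule; the state entry created by the client's SYN is what opens the door, and it does so only for that exact 4-tuple.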
Packet Inspection
Most firewalls support some form of (deep) packet inspection. Simple access-lists only check
source/destination addresses and ports; that's layer 3 and 4 of the OSI model. Packet inspection
means we can look into the payload and make decisions on what we find there, up to layer 7 of
the OSI model.
Instead of blocking all IP addresses that belong to lolcats.com, you can create a filter that
looks for the URI in HTTP requests and block those instead. You won’t have to worry
about IP addresses of web servers that might change in the future.
Your firewall can check the payload to block any packets that contain known worms or
viruses.
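The two inspection examples above, as an added worked example that is not part of the original article: a small Python inspector that parses the request line and Host header of an HTTP request, blocks by host name (lolcats.com, the name the article uses) including its subdomains, and scans the payload for a known byte pattern. The IP addresses, the requests and the "worm" signature are all constructed; a real firewall would carry a vendor signature database rather than one hard-coded pattern.

```python
"""Toy layer-7 inspection (added example, not code from the original article).

Contrasts a layer-3 rule (block by server IP address) with a layer-7 rule that
reads the HTTP request and blocks by host name, then scans the payload for a
known byte pattern. Requests, addresses and the signature are constructed.
"""
BLOCKED_HOSTS = {"lolcats.com"}         # layer-7 rule: by name (survives IP changes)
BLOCKED_IPS = {"198.51.100.23"}         # layer-3 rule: by address (breaks when the server moves)
SIGNATURES = {"demo-worm": b"\x90\x90\x90\x90CALL_HOME\x00"}   # constructed, hypothetical pattern


def parse_http_request(payload: bytes):
    """Return (method, target, headers) or None if the payload is not an HTTP request."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_of(target: str, headers: dict) -> str:
    """Host name from an absolute-form target or the Host header, port stripped.
    (IPv6 literals in brackets are not handled in this toy.)"""
    if "://" in target:
        host = target.split("://", 1)[1].split("/", 1)[0]
    else:
        host = headers.get("host", "")
    return host.split(":")[0].lower()


def l3_verdict(dst_ip: str) -> str:
    """What a plain access-list can do: match the destination address only."""
    return "drop" if dst_ip in BLOCKED_IPS else "permit"


def l7_verdict(payload: bytes):
    """Inspect the payload up to layer 7; return (verdict, reason)."""
    for name, sig in SIGNATURES.items():          # payload signature check first
        if sig in payload:
            return "drop", f"signature:{name}"
    req = parse_http_request(payload)
    if req is not None:
        _, target, headers = req
        host = host_of(target, headers)
        if any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS):
            return "drop", f"host:{host}"
    return "permit", ""


def run_demo():
    """Constructed requests; the web server has moved from 198.51.100.23 to 198.51.100.77."""
    req_lolcats = b"GET /funny.html HTTP/1.1\r\nHost: lolcats.com\r\n\r\n"
    req_subdomain = b"GET /index.html HTTP/1.1\r\nHost: www.lolcats.com:8080\r\n\r\n"
    req_other = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    upload_bad = (b"POST /upload HTTP/1.1\r\nHost: example.org\r\nContent-Length: 14\r\n\r\n"
                  + SIGNATURES["demo-worm"])
    return {
        "l3_old_ip": l3_verdict("198.51.100.23"),   # still matches the old address
        "l3_new_ip": l3_verdict("198.51.100.77"),   # the IP rule silently stops working
        "l7_lolcats": l7_verdict(req_lolcats),
        "l7_subdomain": l7_verdict(req_subdomain),
        "l7_other": l7_verdict(req_other),
        "l7_worm": l7_verdict(upload_bad),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The point of the comparison is the `l3_new_ip` case: the address-based rule keeps "working" while no longer blocking anything, whereas the name-based rule follows the site wherever it is hosted. Inspection of this kind only sees plaintext, so for HTTPS a firewall either inspects the TLS handshake (the SNI name) or terminates TLS itself.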
Security Zones
Each firewall interface is assigned to a security zone, and each zone has a security level: the
INSIDE (your LAN) has the highest level and the OUTSIDE (the WAN) the lowest. These zones
have two simple rules:
Traffic from a higher security level to a lower one (INSIDE to OUTSIDE) is permitted by
default, and the return traffic is allowed back by the stateful filter.
Traffic from a lower security level to a higher one (OUTSIDE to INSIDE) is denied by default.
If you want to make an exception and permit traffic from the WAN to the LAN, this can be
accomplished with an access-list.
Most companies will have one or more servers that should be reachable from the Internet.
Perhaps a mail or web server. Instead of placing these on the INSIDE, we use a third zone called
the DMZ (Demilitarized Zone). Take a look at the picture below:
The DMZ security zone has a security level that is in between the INSIDE and OUTSIDE.
This means that:
Hosts on the INSIDE can reach the DMZ and the OUTSIDE.
Servers in the DMZ can reach the OUTSIDE, but not the INSIDE.
Hosts on the OUTSIDE can reach neither the DMZ nor the INSIDE by default.
To ensure traffic from the OUTSIDE is able to reach the servers in the DMZ, we use an
access-list that only permits traffic to the IP addresses (and port numbers) that the servers in the
DMZ actually use. This setup limits the damage: if one of your servers in the DMZ gets hacked,
the attacker still cannot reach your INSIDE network through the firewall, because no rule allows
DMZ to INSIDE traffic. Keep it that way; every access-list exception you add from the DMZ to
the INSIDE (for example, so a web server can reach a database) reduces that isolation, so make
such exceptions as narrow as possible.
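The zone rules above, as an added worked example that is not part of the original article: a Python evaluator with three constructed zones (INSIDE 100, DMZ 50, OUTSIDE 0, the conventional ordering), the default higher-to-lower rule, and one access-list applied to traffic coming in on OUTSIDE that permits only the DMZ web server on ports 80 and 443. The interface names, address ranges, server address and ports are constructed; the demo includes a compromised DMZ host trying to reach the INSIDE.

```python
"""Toy security-zone policy (added example, not code from the original article).

Each zone has a security level. The default rule permits traffic from a
higher level to a lower level and denies the reverse; an access-list applied
to a source zone adds explicit exceptions. All names, levels, networks and
ports below are constructed.
"""
from ipaddress import ip_address, ip_network

ZONES = {"INSIDE": 100, "DMZ": 50, "OUTSIDE": 0}
NETWORKS = {
    "INSIDE": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
    # OUTSIDE is everything else
}
# access-lists per source zone: (dst ip, dst port) pairs permitted as exceptions
ACLS = {
    "OUTSIDE": {("192.168.2.10", 80), ("192.168.2.10", 443)},   # published DMZ web server
    # deliberately no "DMZ" entry: nothing from the DMZ may initiate traffic to the INSIDE
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "OUTSIDE"


def verdict(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide whether a new connection from src_ip to dst_ip:dst_port may be opened."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "permit"    # same zone: traffic does not cross the firewall at all
    if ZONES[src_zone] > ZONES[dst_zone]:
        return "permit"    # higher to lower: allowed by default; replies return via state
    if (dst_ip, dst_port) in ACLS.get(src_zone, set()):
        return "permit"    # lower to higher, but explicitly allowed by an access-list
    return "deny"          # lower to higher with no exception


def run_demo():
    """Constructed sample flows; 192.168.2.10 is the DMZ web server, here assumed compromised."""
    return {
        "inside_to_internet": verdict("192.168.1.20", "198.51.100.5", 443),
        "inside_to_dmz": verdict("192.168.1.20", "192.168.2.10", 22),
        "internet_to_dmz_web": verdict("203.0.113.9", "192.168.2.10", 80),
        "internet_to_dmz_ssh": verdict("203.0.113.9", "192.168.2.10", 22),
        "internet_to_inside": verdict("203.0.113.9", "192.168.1.20", 445),
        "dmz_to_internet": verdict("192.168.2.10", "203.0.113.9", 4444),
        "hacked_dmz_to_inside": verdict("192.168.2.10", "192.168.1.20", 3389),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Two things worth noticing in the output: the SSH port on the very same DMZ server stays closed because the access-list names ports, not just hosts, and the compromised DMZ host can still open connections to the Internet (higher to lower is permitted), which is exactly why outbound rules from the DMZ are also worth restricting in practice.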
Note
Some of the features described above are also available on routers. For example, Cisco IOS
routers support the reflexive access-list, which is a "poor man's" stateful firewall. Cisco IOS also
supports the Zone Based Firewall, which, as the name suggests, uses security zones. Dedicated
hardware firewalls, however, offer better network performance and throughput.